1. Information We Collect

We may collect and process the following categories of personal information:

• Contact information: Name, email address, phone number, company name, job title, and inquiry details submitted through our contact forms or service engagement process.
• Business and procurement data: Vendor contract details, procurement requirements, budget ranges, organizational structure, and other business information shared in connection with our IT Procurement Advisory or PRaaS™ services.
• AI interaction data: Messages and inputs submitted to the Onyx AI assistant.
• Technical data: IP address, browser type and version, operating system, referring URLs, pages visited, and time spent on pages (collected via cookies, with your consent).
• Cookie and tracking data: As described in Section 4 below.

We do not knowingly collect sensitive personal information such as government ID numbers, financial account details, or health data through this Site. Business and procurement data shared in the context of our advisory services is treated as confidential and governed by any applicable service agreements.

2. How We Use Your Information

We use the information we collect to:

• Deliver, improve, and personalize our IT Procurement Advisory and PRaaS™ services.
• Operate and improve the Site and the Onyx AI assistant.
• Facilitate communication about procurement engagements, vendor management, and service inquiries.
• Develop vendor governance strategies, contract health assessments, and sourcing recommendations on behalf of clients.
• Analyze aggregate usage patterns and Site performance.
• Comply with applicable laws, regulations, and contractual obligations.
• Detect, prevent, and address fraud, security incidents, or technical issues.

We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects.

3. How We Share Your Information

We do not sell or rent personal information. We may share information with:

• Clients & Engagement Partners: To deliver IT Procurement Advisory and PRaaS™ services, with appropriate consent and confidentiality agreements in place.
• Service Providers: Trusted vendors assisting with analytics, communications, security, and IT/operational support, acting as data processors on our behalf.
• Anthropic, Inc.: Powers the Onyx AI assistant. See Section 7 for details.
• Legal & Regulatory Authorities: When required by law or to protect our rights, users, or property.

Business and procurement information shared with us in the context of a service engagement is never shared with third parties outside the scope of that engagement without your explicit consent.

4. Cookies & Tracking Technologies

We use the following categories of cookies on this Site:

• Strictly Necessary: Session tokens and security protections. Always active; no consent required.
• Functional: Onyx AI chatbot session context. Active only with your consent.
• Analytics: Google Analytics (_ga, _ga_*), aggregated, anonymized usage data to improve our Site. Active only with your consent.

You may manage or withdraw cookie consent at any time via the Cookie Settings option in the site footer. Disabling certain cookies may impact Site features.

5. Legal Basis for Processing (GDPR)

For visitors located in the European Economic Area (EEA) or United Kingdom, we process personal data on the following legal bases:

• Consent: functional and analytics cookies, and Onyx AI interactions.
• Legitimate interests: site security, fraud prevention, and operational analytics.
• Contractual necessity: responding to service inquiries and delivering procurement advisory engagements.
• Legal obligation: where required by applicable law.

6. International Data Transfers

Merci Technologies, Inc. is based in the United States. If you are accessing our Site from outside the US, including from the European Economic Area, your personal data will be transferred to, stored, and processed in the United States. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Third-Party Processors

We share data with the following categories of third-party service providers acting as data processors on our behalf:

• Anthropic, Inc.: Powers the Onyx AI assistant. Chat inputs may be processed by Anthropic in accordance with their Privacy Policy and applicable data processing agreements.
• Google Analytics: Aggregate, anonymized usage data only, with your consent. Governed by Google’s Privacy Policy.
• Hosting and infrastructure providers: For secure delivery and operation of the Site.

We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes.

8. Children’s Privacy

This Site is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal information, we will delete it promptly. Contact: privacy@mercitech.io

9. Data Retention

• Contact and service inquiry submissions: up to 24 months from receipt.
• Procurement advisory and PRaaS™ engagement data: retained for the duration of the engagement plus 36 months, or as required by applicable law or contract.
• Cookie consent records: 365 days.
• Google Analytics data: up to 24 months, in aggregate anonymized form.
• Onyx AI session data: not retained beyond the active session unless otherwise disclosed.

10. Data Security

We implement appropriate technical and organizational measures including HTTPS encryption, access controls, and security monitoring to protect your information against unauthorized access, alteration, disclosure, or destruction. Given the nature of our procurement advisory services, we apply heightened confidentiality standards to all business and vendor data shared with us. However, no method of internet transmission is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify affected individuals and relevant authorities as required by applicable law.

11. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request erasure of your personal data.
• Restriction: Request that we limit processing of your data.
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Withdraw consent: At any time, without affecting lawfulness of prior processing.
• Opt out of marketing: At any time via the unsubscribe link in any communication.
• Lodge a complaint: With your local supervisory authority.

12. California Privacy Rights (CCPA / CPRA)

California residents have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Know what personal information is collected, used, shared, or sold.
• Delete personal information we have collected.
• Opt out of the sale or sharing of personal information. We do not sell or share personal information.
• Correct inaccurate personal information.
• Limit use of sensitive personal information.
• Non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a verifiable consumer request, email privacy@mercitech.io or use the Privacy Options button in the site footer. We will respond within 45 days as required by law, with the possibility of a single 45-day extension where necessary.

13. Do Not Track

Our Site does not currently respond to browser Do Not Track (DNT) signals. We will update this policy if that changes. You may manage tracking preferences via the Cookie Settings option in the footer.

14. Updates to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the effective date and version number above. Returning visitors will be prompted to review and re-confirm their cookie preferences when material changes are made. Continued use of our services constitutes acceptance of any updates.

15. Contact Us

If you have questions or concerns about this Privacy Policy or how we handle your data, please contact us:

• Email: privacy@mercitech.io
• Address: 1050 Crown Pointe Pkwy, Suite 500, Atlanta, GA 30338, USA